Hypothetical Linux Malware Question.

I understand that Linux is significantly more secure than Windows in many ways.

But if a piece of software convinces the user it's safe and something they want to install and give root privileges to, is there anything stopping it from doing whatever it wants? For example, deleting/modifying system folders, reconfiguring grub, deleting the partition table, etc.?

I'm not trying to scaremonger, it's just a question I've thought about for a while.

Re: Hypothetical Linux Malware Question.

Originally Posted by mike_smith2

I understand that Linux is significantly more secure than Windows in many ways.

But if a piece of software convinces the user it's safe and something they want to install and give root privileges to, is there anything stopping it from doing whatever it wants? For example, deleting/modifying system folders, reconfiguring grub, deleting the partition table, etc.?

I'm not trying to scaremonger, it's just a question I've thought about for a while.

Idiot-proofing shouldn't become a goal for PCs in my opinion. Let smartphones and tablets take care of protecting people from the damage of clicking 'OK' to everything willy-nilly. PCs should be for serious study, work and experimentation, and in such a scenario we need an 'admin' mode which can do everything possible by the hardware itself. Allowing such a mode thoughtfully should be the responsibility of the user.

It's not that hard as long as you think about what you're doing, read up on the available documentation/tutorials, seek help on the forum in case of further doubt, and use plain common sense. I've used various Windows versions since 98 and Linux since the early Mandrake days and never once caught a virus or malware, except a few false positives.

And to answer your question, no, once a process has root privileges it can do absolutely anything. Only the BIOS/firmware could possibly prevent it, and most BIOSes won't.

Re: Hypothetical Linux Malware Question.

Root privs usually require explicit password entry.
If root is enabled and the user downloading p0wn3d.sh had a visudo entry that specified NOPASSWORD, he'd be in trouble if he ran it.

I believe the root account is disabled in Ubuntu and requires some very explicit steps to enable it.

Now, if the user doing the downloading is root, well, for shame.

Hypothetically: an Ubuntu user visits a website that asks them to download FlashPlayer.sh; the pop-up explains how to install it, with all the official Adobe FlashPlayer logos; they get the normal pop-up asking for their account password and they enter it. Seems totally plausible.

What if Ubuntu (or whatever distro) had a large set of processes/terminal commands (etc., to be honest I know very little of the inner workings of Linux) that it warned the user of as being "Potentially Malicious"?

If I'm setting up a new Ubuntu install I'll receive the password pop-up perhaps a dozen times in a couple of hours; do you think people get desensitized to it?

Originally Posted by santosh83

And to answer your question, no, once a process has root privileges it can do absolutely anything. Only the BIOS/firmware could possibly prevent it, and most BIOSes won't.

I thought so, kinda scary but like you said people should have the power to do whatever they want.

Re: Hypothetical Linux Malware Question.

Sorry, this question is going to make me look a bit dim, but if a user is allowed to use the "sudo" command (or whatever Linux uses when the user receives a GUI pop-up asking for their password), in which they enter their own password, that has all the permissions of root, right?

Re: Hypothetical Linux Malware Question.

Originally Posted by mike_smith2

Hypothetically: an Ubuntu user visits a website that asks them to download FlashPlayer.sh; the pop-up explains how to install it, with all the official Adobe FlashPlayer logos; they get the normal pop-up asking for their account password and they enter it. Seems totally plausible.

You mean installing something from a malicious website impersonating Adobe? In that case, you're screwed just as much as a Windows guy. Unless you can install the software purely as a non-privileged user, in which case using the software would at most mess up the user's account. If that user had privileges to use sudo and the malicious software asked him to do so, and he did, then again screwed.

What if Ubuntu (or whatever distro) had a large set of processes/terminal commands (etc., to be honest I know very little of the inner workings of Linux) that it warned the user of as being "Potentially Malicious"?

You mean like a blacklist? But a blacklist of what? Virus scanners do exist for Linux but they aren't as sophisticated as for Windows since so far malware hasn't got a foothold on Linux yet.

If I'm setting up a new Ubuntu install I'll receive the root password pop-up perhaps a dozen times in a couple of hours; do you think people get desensitized to it?

That's a possibility, but unless you log in as root (which is disabled under the default Ubuntu configuration) you'll have to enter the password each and every time. There's a way to tell sudo to increase the time period during which it won't ask for reauthentication, but I'm not sure if you can do the same for the graphical version as well.

Note that during a standard Ubuntu install no password is set for root at all. The first created user is simply given the privilege to use his password to gain superuser powers, but he won't become the root user by that, and his password isn't the root user password.

Re: Hypothetical Linux Malware Question.

Originally Posted by mike_smith2

Sorry, this question is going to make me look a bit dim, but if a user is allowed to use the "sudo" command (or whatever Linux uses when the user receives a GUI pop-up asking for their password), in which they enter their own password, that has all the permissions of root, right?

As far as I understand, for a specific command, sudo gives all the powers of root. But it is fine-grained and very configurable, and not the same as actually logging in as root or su'ing to root. These pages explain the differences better than I could:
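Two of the points raised in this thread can be checked mechanically on a real box: the sudoers entry that lets a downloaded script run as root with no password prompt (the tag is spelled NOPASSWD in the actual sudoers grammar), and the sudo re-authentication window (the `timestamp_timeout` Defaults option, in minutes; a negative value means sudo never re-prompts once a ticket exists). The script below is an added example written for this thread, not code from any poster, from Ubuntu, or from the sudo project. It parses sudoers-style text from a defender's viewpoint and flags the risky entries; the two sudoers texts it audits are constructed samples, one with the weak settings and one with them corrected.

```python
"""Audit sudoers-style text for the risky settings discussed in the thread.

Added example, not from the thread. Both sudoers texts below are constructed
samples, not copies of any real host's /etc/sudoers.
"""
import re

# Constructed weak configuration: "alice" has the NOPASSWD-for-anything grant
# the thread describes, and the sudo ticket never expires.
WEAK_SUDOERS = """\
Defaults        env_reset
Defaults        timestamp_timeout=-1      # never re-prompt for a password
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
alice   ALL=(ALL) NOPASSWD: ALL
bob     ALL=(root) NOPASSWD: /usr/bin/apt-get update
"""

# The same file with the two risky settings corrected (also constructed):
# alice's blanket grant is gone and the ticket now expires after 5 minutes.
HARDENED_SUDOERS = """\
Defaults        env_reset
Defaults        timestamp_timeout=5       # re-prompt after 5 idle minutes
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
bob     ALL=(root) NOPASSWD: /usr/bin/apt-get update
"""

# Tags that may prefix a command list in a user specification.
TAG_RE = re.compile(r'\b(?:NO)?(?:PASSWD|EXEC|SETENV|LOG_INPUT|LOG_OUTPUT|MAIL|FOLLOW):\s*')
# user  host = (runas) [tags:] command, command, ...
SPEC_RE = re.compile(r'^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$')


def audit_sudoers(text):
    """Return a list of (severity, line_number, message) tuples.

    Severity is 'high' for passwordless root on any command or a ticket that
    never expires, 'medium' for narrower passwordless grants or a long ticket,
    and 'info' for the ordinary password-protected full-root grant.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Drop comments. (Real sudoers also uses '#include' and '#uid' forms;
        # this simplified parser ignores those deliberately.)
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line.startswith('Defaults'):
            m = re.search(r'timestamp_timeout\s*=\s*(-?\d+)', line)
            if m:
                minutes = int(m.group(1))
                if minutes < 0:
                    findings.append(('high', lineno,
                                     'timestamp_timeout is negative: sudo never re-prompts once authenticated'))
                elif minutes > 15:
                    findings.append(('medium', lineno,
                                     f'timestamp_timeout={minutes} keeps the sudo ticket valid for a long time'))
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue  # aliases and other directives are out of scope here
        user, host, runas, cmds = m.groups()
        nopasswd = 'NOPASSWD:' in cmds
        commands = [c.strip() for c in TAG_RE.sub('', cmds).split(',') if c.strip()]
        target = runas or 'root'
        if nopasswd and 'ALL' in commands:
            findings.append(('high', lineno,
                             f'{user} may run ANY command as {target} on {host} without a password'))
        elif nopasswd:
            findings.append(('medium', lineno,
                             f'{user} runs {", ".join(commands)} as {target} without a password'))
        elif 'ALL' in commands:
            findings.append(('info', lineno,
                             f'{user} has full root after entering a password (standard admin grant)'))
    return findings


def highest_severity(findings):
    """Collapse a findings list to its worst level, or None if nothing was flagged."""
    for level in ('high', 'medium', 'info'):
        if any(f[0] == level for f in findings):
            return level
    return None


if __name__ == '__main__':
    for label, text in (('weak', WEAK_SUDOERS), ('hardened', HARDENED_SUDOERS)):
        print(f'--- {label} sample: worst = {highest_severity(audit_sudoers(text))}')
        for severity, lineno, message in audit_sudoers(text):
            print(f'  [{severity}] line {lineno}: {message}')
```

On a real system the text to feed `audit_sudoers` would come from `/etc/sudoers` and the files under `/etc/sudoers.d/`, read with root privileges; `visudo -c` remains the authoritative syntax check, and this script is only a quick review aid for the two settings the thread talks about.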

Re: Hypothetical Linux Malware Question.

We don't delete threads, other than occasionally moving them to areas of the Forum that cannot be viewed by any but the staff.

Nothing that has been said here is a secret and this thread is not likely to expose any loophole not already known.

As for the general theme of the thread, what you've been talking about is social engineering -- which is just as dangerous in Linux as in Windows.

How would anyone "flag" particular commands to protect the user from him/herself? If you did that, then you would still have to let the user say "Oh, it's OK. I really do want to do that!" because something might actually need to be done. In that case the "protection" would just have been thwarted by the same social engineering.

While it is feasible to include a great number of protections against possibly malicious unattended processes, protecting against all possible malicious attended processes allowed by a user with appropriate privileges would make the OS useless.

The only truly "secure" OS is the one never booted.
